Network attacks have occurred one after another in recent years, and among all of them the kind that most easily causes massive damage is the distributed denial of service (DDoS) attack. Because attackers usually forge the source address of their packets to hide their location, tracing an attack back to its source is difficult. This thesis therefore proposes using packet-marking techniques to identify the onset of an attack and trace the attacker's source location, and to coordinate with an overlay-network defense system to block the attack traffic at a precise position, thereby stopping the DDoS attack. Packet marking uses rarely used fields of the IP header and, with a certain probability, fills in partial information about the path the packet traverses; even when the attacker forges the source address, the attack path can be recovered from the marks carried by multiple packets. The thesis also proposes using the path information in packet marks to discover source addresses that do not match the routing position, helping to identify attack packets. Finally, the feasibility of applying packet marking to a coordinated traceback and defense system is demonstrated by implementation, and the proposed method for identifying attack packets from marked path information is integrated into Snort's detection functions. Experimental results show that the system can trace the attack source and effectively block DDoS attacks.

With the extreme popularity of the Internet, network attacks have emerged in an endless stream in recent years. One of the most serious is the distributed denial of service (DDoS) attack, which easily causes large damage. DDoS attackers usually forge the source address of IP packets to hide their positions, so that it is difficult to trace back to the attackers. To alleviate DDoS, this work takes advantage of the packet-marking method to trace the attacker's location, as well as to detect DDoS attacks. Once a DDoS attack is detected and located, this work initiates an overlay-network defense system to block it. The basic concept of the packet-marking method is to insert some route information into rarely used fields of the IP header; the insertion is probabilistic. Even if attackers forge the source address of IP packets, this method can find the attack path using the route information carried by the marked packets. With the attack path, our work is also able to detect attack packets that have the same source address but come from different far routers. Finally, this work implemented a system based on the packet-marking method and the overlay-network defense approach, and integrated a new packet-marking-based detection method into Snort. The experimental results show that our system can detect, locate, and block DDoS attacks effectively.
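As an added illustration (not code from the thesis or its Snort integration), the following Python simulation shows the probabilistic edge-sampling form of packet marking the abstract outlines, the victim-side path reconstruction from many marked packets, and the "same source address, different far router" check used to spot spoofed packets; the router names, the 10.0.0.5 address, the marking probability and the mark layout are constructed assumptions.

```python
import random
from collections import Counter

# Constructed simulation of probabilistic packet marking (edge-sampling form) and
# of the spoof check from the abstract; the mark tuple stands in for the IP fields.
P_MARK = 0.2  # assumed per-router marking probability

def mark_packet(path, rng):
    """Forward one packet along path (attacker side first); return the
    (start, end, distance) mark the victim sees, or None if no router marked."""
    mark = None
    for router in path:
        if rng.random() < P_MARK:
            mark = [router, None, 0]  # start a new edge, overwrite any old mark
        elif mark is not None:
            if mark[2] == 0:
                mark[1] = router      # second endpoint of the sampled edge
            mark[2] += 1              # hops travelled since the mark was written
    return tuple(mark) if mark else None

def reconstruct_path(marks):
    """Most frequent start router at each distance d (the router d hops upstream); nearest first."""
    by_dist = {}
    for start, _end, dist in marks:
        by_dist.setdefault(dist, Counter())[start] += 1
    path, d = [], 0
    while d in by_dist:
        path.append(by_dist[d].most_common(1)[0][0])
        d += 1
    return path

def detect_spoofed(packets):
    """Flag packets whose mark names a different upstream router than already learned for that source at that distance."""
    learned, flagged = {}, []
    for i, (src, mark) in enumerate(packets):
        if mark is not None:
            start, _end, dist = mark
            if learned.setdefault(src, {}).setdefault(dist, start) != start:
                flagged.append(i)
    return flagged

def simulate(n=2000, seed=7):
    """Legitimate host and a spoofing attacker share only the last two hops to the victim."""
    rng = random.Random(seed)
    legit_path, attack_path = ["R1", "R2", "R3", "R4"], ["R7", "R8", "R3", "R4"]
    packets = [("10.0.0.5", mark_packet(legit_path, rng)) for _ in range(n)]
    packets += [("10.0.0.5", mark_packet(attack_path, rng)) for _ in range(n)]
    marks = [m for _, m in packets[:n] if m is not None]
    return reconstruct_path(marks), detect_spoofed(packets)
```

Running `simulate()` rebuilds the legitimate path from the victim outward and flags only attacker packets whose marks were written by R7 or R8, the hops that differ from the path learned for that source.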